Impact
A SQL injection flaw exists in the admin login routine of School Management System CMS 1.0, allowing attackers to inject malicious SQL via the username field. The flaw permits boolean-based blind SQL injection, enabling an attacker to craft payloads that cause the authentication logic to succeed without valid credentials. Once authenticated, the attacker gains full administrative privileges, which can be used to alter data, view confidential information, or further compromise the system. The vulnerability is classified as CWE-89 and carries a CVSS score of 7.1, indicating a high risk if exploited.
Affected Systems
The affected product is Wecodex Solutions School Management System CMS version 1.0. No other versions or upstream products are listed as vulnerable.
Risk and Exploitability
The estimated probability of exploitation is low: the EPSS score is below 1% and the vulnerability does not appear in the CISA KEV catalog. Exploiting it requires an application-level entry point to the processlogin endpoint and the ability to submit crafted username strings. Once that is achieved, an attacker can bypass authentication and perform any administrative action, resulting in full system compromise. Given the CVSS score and the nature of the flaw, it represents a serious security concern for organizations running the vulnerable CMS.
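To make the flaw and its remediation concrete, the following is an added Python example (not code from the CMS or from this advisory) that places a login query built by string concatenation, the pattern the advisory describes, beside its parameterised replacement. The table and column names, the stored credential and the tautology test input are constructed assumptions; the real schema of the CMS is not on the page.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Demo only: a real deployment needs a salted, slow hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS admin table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)",
                 ("admin", pw_hash("correct-horse")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defect the advisory describes: the username is spliced into the SQL
    text, so quote and comment characters in it rewrite the query's logic."""
    sql = ("SELECT COUNT(*) FROM admin WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash(password)))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds both values as data, so the
    username is never parsed as SQL whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM admin WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 -- "  # constructed test input, not from the advisory
    print("vulnerable, wrong password:", login_vulnerable(db, tautology, "x"))  # True
    print("fixed, wrong password     :", login_fixed(db, tautology, "x"))       # False
    print("fixed, valid credentials  :", login_fixed(db, "admin", "correct-horse"))  # True
```

The same binding discipline applies to every other user-controlled value the login handler touches; switching one query while leaving another concatenated leaves the entry point open.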
OpenCVE Enrichment